aboutsummaryrefslogtreecommitdiffstats
path: root/package/firewall
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2010-07-31 13:25:56 +0000
committerJo-Philipp Wich <jow@openwrt.org>2010-07-31 13:25:56 +0000
commit5b365822f3249c4b7f0304ee5c9f526e1ba1c695 (patch)
tree32bbfffe8ca5e11125cdab88c25670aea84e360f /package/firewall
parentd68e09200e223c466a03242307c97abd25849d82 (diff)
downloadupstream-5b365822f3249c4b7f0304ee5c9f526e1ba1c695.tar.gz
upstream-5b365822f3249c4b7f0304ee5c9f526e1ba1c695.tar.bz2
upstream-5b365822f3249c4b7f0304ee5c9f526e1ba1c695.zip
firwall: fix nat reflection for zones covering multiple networks
SVN-Revision: 22442
Diffstat (limited to 'package/firewall')
-rw-r--r--package/firewall/files/reflection.hotplug90
1 files changed, 56 insertions, 34 deletions
diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug
index 605ac7c991..af88fe0243 100644
--- a/package/firewall/files/reflection.hotplug
+++ b/package/firewall/files/reflection.hotplug
@@ -1,5 +1,4 @@
#!/bin/sh
-# Setup NAT reflection rules
. /etc/functions.sh
@@ -16,6 +15,26 @@ if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
iptables -t nat -A postrouting_rule -j nat_reflection_out
}
+ find_networks() {
+ find_networks_cb() {
+ local cfg="$1"
+ local zone="$2"
+
+ local name
+ config_get name "$cfg" name
+
+ [ "$name" = "$zone" ] && {
+ local network
+ config_get network "$cfg" network
+
+ echo ${network:-$zone}
+ return 1
+ }
+ }
+
+ config_foreach find_networks_cb zone "$1"
+ }
+
setup_fwd() {
local cfg="$1"
@@ -26,49 +45,52 @@ if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
local dest
config_get dest "$cfg" dest "lan"
- local lanip=$(uci -P/var/state get network.$dest.ipaddr)
- local lanmk=$(uci -P/var/state get network.$dest.netmask)
+ local net
+ for net in $(find_networks "$dest"); do
+ local lanip=$(uci -P/var/state get network.$net.ipaddr)
+ local lanmk=$(uci -P/var/state get network.$net.netmask)
- local proto
- config_get proto "$cfg" proto
+ local proto
+ config_get proto "$cfg" proto
- local epmin epmax extport
- config_get extport "$cfg" src_dport
- [ -n "$extport" ] || return
+ local epmin epmax extport
+ config_get extport "$cfg" src_dport
+ [ -n "$extport" ] || return
- epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
- [ "$epmin" != "$epmax" ] || epmax=""
+ epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
+ [ "$epmin" != "$epmax" ] || epmax=""
- local ipmin ipmax intport
- config_get intport "$cfg" dest_port "$extport"
+ local ipmin ipmax intport
+ config_get intport "$cfg" dest_port "$extport"
- ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
- [ "$ipmin" != "$ipmax" ] || ipmax=""
+ ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
+ [ "$ipmin" != "$ipmax" ] || ipmax=""
- local exthost
- config_get exthost "$cfg" src_dip "$wanip"
+ local exthost
+ config_get exthost "$cfg" src_dip "$wanip"
- local inthost
- config_get inthost "$cfg" dest_ip
- [ -n "$inthost" ] || return
+ local inthost
+ config_get inthost "$cfg" dest_ip
+ [ -n "$inthost" ] || return
- [ "$proto" = tcpudp ] && proto="tcp udp"
+ [ "$proto" = tcpudp ] && proto="tcp udp"
- local p
- for p in ${proto:-tcp udp}; do
- case "$p" in
- tcp|udp)
- iptables -t nat -A nat_reflection_in \
- -s $lanip/$lanmk -d $exthost \
- -p $p --dport $epmin${epmax:+:$epmax} \
- -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax}
+ local p
+ for p in ${proto:-tcp udp}; do
+ case "$p" in
+ tcp|udp)
+ iptables -t nat -A nat_reflection_in \
+ -s $lanip/$lanmk -d $exthost \
+ -p $p --dport $epmin${epmax:+:$epmax} \
+ -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax}
- iptables -t nat -A nat_reflection_out \
- -s $lanip/$lanmk -d $inthost \
- -p $p --dport $ipmin${ipmax:+:$ipmax} \
- -j SNAT --to-source $lanip
- ;;
- esac
+ iptables -t nat -A nat_reflection_out \
+ -s $lanip/$lanmk -d $inthost \
+ -p $p --dport $ipmin${ipmax:+:$ipmax} \
+ -j SNAT --to-source $lanip
+ ;;
+ esac
+ done
done
}
}